FirewallScript Provides PHP-Based Protection
by Jason Kincaid on April 24, 2008

FirewallScript has just launched a software-based security service that can be used on any server that supports PHP5, and even provides support for shared hosts.

The firewall is very similar in function to the popular open source firewall ModSecurity, but according to co-founder Ron Myers, there are some important differences. For one, a ModSecurity installation is server-wide, meaning that nobody on a shared hosting plan is able to install or modify its settings. This inevitably leads to problems, because ModSecurity tends to take a generalized approach to protection which may conflict with valid applications run by users who are unable to disable it.

In contrast, FirewallScript can be installed by any user on a server, even under a shared hosting plan. All users can install or modify their security settings at will, and FirewallScript offers ‘Rule Packs’ which are pre-configured for certain web apps like WordPress and vBulletin. This allows users to tailor their security to cover things that applications like ModSecurity may have mishandled. Installation is also a breeze, requiring only a simple install script and a minimal amount of technical knowledge.

I think that FirewallScript could have a place in the market, given that the vast majority of small-time sites are hosted on cheap shared hosting plans. But I question how many people will be unsatisfied with the security their plans already provide, or how many will care about security to begin with. For those that are interested, enter the code ‘techcrunch’ for 50% off the normal price of $85.
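
The trade-off described above, a generic server-wide rule that conflicts with valid applications versus rules tailored to one application, shown as an added example that is not FirewallScript or ModSecurity code. The generic pattern, the paths, the parameter names and the sample requests are all hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Server-wide rule (hypothetical): one generic pattern applied to every
# site on the host, with no per-site override.
GENERIC_DENY = [re.compile(r"javascript", re.I)]

# Per-application rule pack (hypothetical): the site owner knows which
# paths and parameters the application really uses, so it can allowlist.
APP_RULES = {
    "/index.php": {
        "p": re.compile(r"[0-9]{1,9}"),       # numeric post id
        "s": re.compile(r"[\w .+-]{1,80}"),   # plain search phrase
    },
    "/feed.php": {},                          # takes no parameters
}

def generic_allows(url):
    """Server-wide check: deny when any generic pattern matches the URL."""
    return not any(rx.search(url) for rx in GENERIC_DENY)

def app_allows(url):
    """Per-application check: path and every parameter must be expected."""
    parts = urlsplit(url)
    params = APP_RULES.get(parts.path)
    if params is None:
        return False  # path the application does not serve
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rx = params.get(name)
        if rx is None or not rx.fullmatch(value):
            return False  # unknown parameter or unexpected shape
    return True

# Constructed sample requests (not taken from the page).
SAMPLES = [
    "/index.php?s=javascript+tutorial",  # valid search
    "/index.php?p=42",                   # valid post view
    "/index.php?p=42abc",                # malformed id
    "/admin/backup.php",                 # path not part of the app
]

def compare(urls=SAMPLES):
    """Return (url, generic verdict, per-app verdict) for each request."""
    return [(u, generic_allows(u), app_allows(u)) for u in urls]

if __name__ == "__main__":
    for url, g, a in compare():
        print(f"{url:36} generic={'allow' if g else 'block'} "
              f"app={'allow' if a else 'block'}")
```

The generic rule blocks the valid search and lets the malformed and out-of-scope requests through, while the application-scoped rules do the opposite on all three.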

Comments

  • Amazing, just amazing.

  • I still think ModSecurity is better!

  • You’re so wrong Trav, ModSecurity is outdated, it’s nice to finally have a fresh face for those of us who need a good solution on shared hosting! This gets my vote.

  • TechCrunch comment of firewall script (Seesmic video: http://www.seesmic.com/video/2BNfGNSYQY)

  • @4 – Technically, Techcrunch itself is on shared hosting. What if they wanted a web application firewall? Tough shit?

  • Damn, I read this article thinking, I’m gonna install this thing right now, then I got to the bottom and realized it wasn’t free. With all the comparison to modsec I kept thinking this thing was free and open source.

  • Wrong business model, make that open source and top it with professional commercial services, klabang there you go.

    Picking Mambo over Joomla! makes me wonder how up to date this service is.

    Arno

  • Whilst it might look good, it won’t do any good. There are many firewall packages that are compiled code and run fast enough to not cause any overhead to the system.
    The idea to be user based config is good but it will add I guess an extra 50-100 ms to the site.

  • After seeing this was not open source I went hunting on the web and found this:

    http://munin.xqus.com/

    :)

  • As a web hosting company, we know that 99.999% of customers don’t consider the security risks contained in script installation, and for them to personally go out and purchase an $85 script, I can’t see it happening.

    If mod_security is configured correctly, with a good ruleset it ultimately provides better security (server wide instead of domain wide) than this could.

    @Josh , mod_security is based on rule sets, exactly the same as this script, so if you think that mod_security is outdated, you’ve just classed a product which runs on the same type of rules as outdated ;)

  • Are you kidding? An $85 script that “guarantees 100% security”.

    I’ll give away the secret of 100% protection for free: unplug your server from the internet.

    Jason, did you check out their testimonials?

    “People think my site is weird because it’s about the supernatural. But they’re out there! Sometimes the extraterrestrial see our website and try to hack it to avoid the information we reveal about them.”

  • While the company says this is great for shared web hosting environments, I wonder what kind of load it would generate for each and every page view, in addition to regular page loads.

    You also have to put a ‘copyright’, or notice on your page saying you use the product, which is just inviting trouble.

  • @10 – How can Modsec be used with tight rules, when the admin can’t control what’s on his server? You can’t globally disallow the word “Javascript” in the URL bar, because some legit scripts might use it. With this software, the admin knows exactly what he has, and can narrow down security to be much tighter than a server admin could, hence why it beats modsec in many areas. Modsec has to be vague and general (especially on shared hosting) or it would cause so many errors with users’ installed scripts it wouldn’t be funny. This does not.

  • So users are expected to know what coding elements aren’t used in the scripts that are installed so they can add them in to the firewall php script?

    I’ve yet to see a single exploit attempt in the last 6 years which uses the term ‘javascript’ in the URL bar, I think that’s a poor example. Anyone who develops their own scripts can block certain terms from being used in the URL bar with suitable coding, they don’t need to fork out $85 for it.

    I personally still don’t see why TC covered this, there’s better PHP scripts developed every minute of the day.
